McAfee informs us of a new bug, detected from tonight's DATs 4362 onwards:
McAfee's description:
__________________________________________
Trojan Name: Multidropper-KN
Risk Assessment: Corporate User: Low; Home User: Low
Trojan Information
Discovery Date: 05/19/2004
Origin: Unknown
Length: 17,520 bytes (zipped), 25,952 bytes (unzipped)
Type: Trojan
SubType: Dropper
Minimum DAT: 4362 (05/19/2004)
Updated DAT: 4362 (05/19/2004)
Minimum Engine: 4.2.40
Description Added: 05/19/2004
Description Modified: 05/19/2004 10:54 AM (PT)
Trojan Characteristics:
This trojan is known to have been spammed out to several email addresses.
Subject of message:
Important news about our soldiers in IRAQ!!!
Message body:
Seven officers was lost today,
follow the link to get the full story.
(URL pointing to an innocent page showing statistics on Iraqi soldiers killed.)
Attachment: (Zip attachment)
IMPORTANT INFORMATION.ZIP (17,520 bytes).
Execution
When run, the trojan drops both a Backdoor and a Password-Stealing component onto the victim's computer.
The following files are dropped onto the victim's computer, into the %windir%\system32\ folder:
KERNEL32.WXD - This file holds additional information about the victim's computer, such as passwords to certain applications and POP3 accounts.
RASCOM.DLL - DLL used by Backdoor-CEX.
RSV32.EXE - This is the Backdoor component, which is automatically executed by the dropper file and detected as the Backdoor-CEX trojan with the 4362 DATs and above.
The following registry value is added so that the Backdoor is executed after a system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell" = "explorer.exe %windir%\system32\rsv32.exe"
KEYBRD32.SYS is dropped into the %windir%\system32\drivers folder - This program is capable of hiding applications which are usually visible within Task Manager.
The dropper file also attempts to drop a password-stealing component which is detected as PWS-LDPinch with the 4362 DATs and above.
Symptoms
New files dropped on the target machine as mentioned above.
Method Of Infection
This multidropper trojan serves only to drop and execute other files on the target system. It does not self-replicate. Likely distribution channels for this trojan include via IRC, via peer-to-peer file-sharing networks, as an attachment in newsgroup postings or email, etc.
Removal Instructions
All Users:
Use specified engine and DAT files for detection and removal. Delete files which contain this detection.
__________________________________________
regards
ms, 19-5-2004
NEW TROJAN THAT ARRIVES BY E-MAIL AND CREATES BACKDOOR CEX
- msc hotline sat
- Posts: 93500
- Registered: 09 Mar 2004, 20:39
- Location: BARCELONA (SPAIN)
msc hotline sat Virus Research Engineer
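The persistence mechanism quoted above (an extra program appended to the Winlogon "Shell" value) and the list of dropped file names are the two artefacts an administrator can check for by hand. The script below is an added example, not McAfee's tooling nor anything from the forum; it parses a Shell value into the programs it launches, flags everything that is not explorer.exe, and matches a directory listing against the file names from the description. The sample Shell value and listing are constructed to mirror the description; on a Windows host the `read_live_shell_value` helper reads the real value with the standard `winreg` module.

```python
"""Check a Winlogon "Shell" value and a system32 listing for the
Multidropper-KN artefacts. Added example; not McAfee's code."""
import ntpath
import re
import sys

# File names taken from the McAfee description quoted above.
DROPPED_FILES = {"kernel32.wxd", "rascom.dll", "rsv32.exe", "keybrd32.sys"}

# Default Winlogon Shell on a clean install: only the Explorer shell.
CLEAN_SHELL = "explorer.exe"

# A token is either a double-quoted string or a run without commas/blanks.
_TOKEN = re.compile(r'"[^"]*"|[^,\s"]+')


def parse_shell_value(value):
    """Split a Shell value into the programs it launches.

    Windows reads a comma-separated list; the dropper appends its payload
    after a space instead, so both separators are accepted. Quoted paths
    (which may contain spaces) are kept whole and then unquoted."""
    return [t.strip('"') for t in _TOKEN.findall(value) if t.strip('"')]


def suspicious_shell_entries(value):
    """Every launched program whose file name is not the default shell."""
    return [p for p in parse_shell_value(value)
            if ntpath.basename(p).lower() != CLEAN_SHELL]


def matching_dropped_files(paths):
    """Paths whose file name matches one of the dropped components."""
    return sorted(p for p in paths
                  if ntpath.basename(p).lower() in DROPPED_FILES)


def assess(shell_value, paths):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for entry in suspicious_shell_entries(shell_value):
        findings.append(f"Winlogon Shell launches extra program: {entry}")
    for path in matching_dropped_files(paths):
        findings.append(f"dropped component present: {path}")
    return findings


def read_live_shell_value():
    """Read the live Shell value on Windows; return None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    key = winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon")
    try:
        return winreg.QueryValueEx(key, "Shell")[0]
    finally:
        key.Close()


if __name__ == "__main__":
    # Constructed sample values mirroring the description (not a real capture).
    sample_shell = read_live_shell_value() or \
        r"explorer.exe %windir%\system32\rsv32.exe"
    sample_listing = [
        r"C:\WINDOWS\system32\kernel32.dll",   # legitimate, must not match
        r"C:\WINDOWS\system32\KERNEL32.WXD",
        r"C:\WINDOWS\system32\RSV32.EXE",
        r"C:\WINDOWS\system32\drivers\keybrd32.sys",
    ]
    for line in assess(sample_shell, sample_listing) or ["no findings"]:
        print(line)
```

Only the file name is compared, so the check is unaffected by the drive letter or case of the listing; a hit on `kernel32.wxd` is unusual enough on its own (the legitimate `kernel32.dll` deliberately does not match) to justify pulling the host for the DAT 4362 scan the description prescribes.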